FAQ
Ans: How to add a new rule for a specific log entry and verify that it works.
Log entry that needs to be matched:
[2015-01-28 05:40:16] NOTICE[-1] Ext. 9015448702956577: Incoming SIP connection from unknown peer failed for 31.3.244.234 - Unknown connection from peer
Add a new rule in /etc/fail2ban/filter.d/asterisk.conf
NOTICE.* .*: Incoming SIP connection from unknown peer failed for <HOST> - Unknown connection from peer
To verify that the rule works, use the following command
#> fail2ban-regex /var/log/asterisk/fail2ban "NOTICE.* .*: Incoming SIP connection from unknown peer failed for <HOST> - Unknown connection from peer"
TIPS:
fail2ban-regex <path/to/log> <failregex or /etc/fail2ban/filter.d/XXX.conf>
Ans: Check /etc/fail2ban/fail2ban.conf
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
Restart the fail2ban service
Checking with fail2ban-client shows that the log clearly contains abnormal connections, yet no IP gets banned
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: asterisk-iptables
# fail2ban-client status asterisk-iptables
|- filter
|  |- File list: /var/log/asterisk/fail2ban
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0
Solution:
Edit /etc/asterisk/logger.conf
;syslog keyword : This special keyword logs to syslog facility
;uncomment the line below
syslog.local0 => notice,warning,error
Reload Asterisk
# iptables -D fail2ban-ASTERISK -s 123.123.123.123 -j DROP
or
# iptables -L fail2ban-ASTERISK -nv --line-number
Chain fail2ban-ASTERISK (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       134.213.134.172      0.0.0.0/0
2        0     0 DROP       all  --  *      *       46.105.127.222       0.0.0.0/0
3        0     0 DROP       all  --  *      *       116.255.152.101      0.0.0.0/0
4     1364  363K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
# iptables -D fail2ban-ASTERISK 2   ; delete rule number 2
CLI Log:
Received incoming SIP connection from unknown peer to 003333002972597886748
NOTE:
Ans:
1. Edit /etc/asterisk/extensions.conf
[from-sip-external]
; comment out the existing content and add the following
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Set(foo=${SIPCHANINFO(recvip)})
exten => _.,n,Log(NOTICE,Incoming SIP connection from unknown peer failed for ${foo} - Unknown connection from peer)
exten => _.,n,Hangup
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup
Apply the new configuration
asterisk -rx "dialplan reload"
2. Edit /etc/fail2ban/filter.d/asterisk.conf
...
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            ...
            ...
            NOTICE.* .*: Incoming SIP connection from unknown peer failed for <HOST> - Unknown connection from peer
Apply the new configuration
service fail2ban restart
On Asterisk 1.11+)
Failed to authenticate device 1005<sip:1005@123.123.123.123>;tag=2071f8ca
On Asterisk 1.8)
Sending fake auth rejection for device 100<sip:100@123.123.123.123>;tag=99fdd5d7
123.123.123.123 is the external IP of my PBX
Ans: The solution differs by Asterisk version
Asterisk 11)
This version adds a Security Log Level feature; enabling it records the attacker's source IP, which fail2ban can then block.
Edit /etc/fail2ban/filter.d/asterisk.conf
Add the SECURITY line
failregex = Registration from '.*' failed for '<HOST>:.*' - Wrong password
            ...
            ...
            SECURITY.* .*: SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
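To see what fail2ban-regex is checking for both the NOTICE rule from the first answer and the SECURITY rule above, here is an added example (not from this page or from fail2ban itself) that expands <HOST> the way fail2ban does, replays constructed log lines through both failregex lines and counts failures per host. The <HOST> expansion, the sample SECURITY event and the maxretry replay are assumptions for illustration; a real jail also applies findtime and strips the date first.

```python
import re
from collections import Counter

# Assumed: fail2ban's expansion of the <HOST> placeholder (0.8/0.9-era form).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines this page adds to filter.d/asterisk.conf.
FAILREGEXES = [
    r'NOTICE.* .*: Incoming SIP connection from unknown peer failed for <HOST> - Unknown connection from peer',
    r'SECURITY.* .*: SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$',
]

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def match_host(line, patterns):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, failregexes=FAILREGEXES, maxretry=3):
    """Replay log lines through the filter; hosts reaching maxretry would be banned."""
    patterns = [compile_failregex(r) for r in failregexes]
    failures = Counter(h for h in (match_host(l, patterns) for l in lines) if h)
    return {host for host, n in failures.items() if n >= maxretry}

# Constructed sample log: the NOTICE line from this page three times, a made-up
# Asterisk 11 SECURITY event laid out as the SECURITY failregex expects, and a
# "Wrong password" line that neither of the two rules above is meant to match.
SAMPLE_LOG = [
    '[2015-01-28 05:40:16] NOTICE[-1] Ext. 9015448702956577: Incoming SIP connection from unknown peer failed for 31.3.244.234 - Unknown connection from peer',
] * 3 + [
    '[2015-01-28 05:41:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1422423662-123456",Severity="Error",Service="SIP",EventVersion="2",AccountID="1005",SessionID="0x7f1a2c3d4e50",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060",Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="0123456789abcdef"',
    "[2015-01-28 05:41:05] NOTICE[1234] chan_sip.c: Registration from '1005' failed for '198.51.100.9:5060' - Wrong password",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # {'31.3.244.234'}
```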
Tutorial link:
Asterisk 1.8/1.6)
To block this behaviour on older Asterisk versions, the only option is to modify the source file channels/chan_sip.c so that the system logs the attacker's source IP; Asterisk must be recompiled for the change to take effect, after which fail2ban can be configured to block it.
Tutorial link: https://bugs.debian.org/cgi-bin/bugr...cgi?bug=706739
TIP:
On older Asterisk versions there is another method that does not require modifying the chan_sip.c source; see the other sections of this article for details.